Amazon's Rufus shopping assistant spilled its system prompt and went off-brand
Rufus, the AI shopping assistant Amazon built into its store, turned out to be easy to talk out of its job. In a September 2024 disclosure through Mozilla's 0DIN program, researchers showed that ASCII-encoding tricks slipped past Rufus's guardrails and got it to produce content it was supposed to refuse. Separate research got the bot to reveal its own system prompt and internal security instructions, and to wander off-topic entirely - at one point suggesting Pepsi as a "healthier" alternative when asked about Coca-Cola, which is not the sort of thing a store wants its sales assistant volunteering. By 2026 the jailbreaks had a second life as a way to use Rufus as free general-purpose AI. No breach of customer data was confirmed; the damage was to the idea that bolting an LLM onto your storefront is a low-risk move.
Incident Details
Tech Stack
References
A salesman who forgets what he sells
Amazon built Rufus to be a shopping assistant. It lives inside the store, answers questions about products, compares options, and nudges you toward a purchase. It has exactly one job, and the entire value of that job depends on it staying inside a narrow lane: talk about the things Amazon sells, in ways that help Amazon sell them.
Rufus turned out to be remarkably easy to coax out of that lane. Across a run of security research, the bot was shown to leak its own instructions, produce content it was explicitly built to refuse, and even talk down the products it was supposed to be moving. The store's AI salesman could be persuaded to stop being a salesman.
The encoding trick
The most concrete finding came through 0DIN, Mozilla's bug bounty program for generative AI, in a disclosure dated September 8, 2024. Researchers found that Rufus's safety filters could be defeated with a combination of ASCII decimal encoding and some strategic obfuscation. The idea is simple and a little embarrassing for the defenders: the guardrails scan the text of a request for prohibited content, but if you feed the request in as numeric character codes rather than plain words, the filter does not recognize what it is looking at. The model, however, happily decodes the numbers back into text and acts on the instruction. The guard checks the envelope; the model reads the letter inside.
0DIN classified the result as a "Level 3: Significant Risk," noting the bypass allowed an attacker to get around Rufus's restrictions on providing information hazards and content that violates laws. In other words, the same trick that got Rufus to answer off-topic questions could get it to produce things a retailer very much does not want its branded assistant associated with.
Reading the bot its own instructions
Encoding was not the only weakness. Separate testing showed that after a few pointed questions, Rufus would start disclosing the contents of its own system prompt and internal security instructions - the hidden scaffolding that tells the model who it is, what it may discuss, and what it must refuse. For anyone trying to attack a system, its system prompt is a map. Once you can read the rules the model was given, you can reason about how to break them, and you can see whatever internal guidance the company embedded and assumed customers would never see.
Researchers also demonstrated that Rufus would simply answer questions that had nothing to do with shopping. On a first attempt, testers got it discussing the architectural differences between x86 and ARM processors. That is a fine thing to know and a strange thing for a retail assistant to be lecturing about, and it confirmed that the model powering Rufus was a general-purpose engine wearing a shopping-assistant costume that could be removed with minimal effort.
Recommending the competition
The most on-brand failure, in the sense of being exactly the kind of thing a brand fears, came from Tenable's testing. Asked about Coca-Cola, Rufus offered that "while Coca-Cola is a popular brand," it "would suggest healthier alternatives like Pepsi." Set aside that Pepsi is not meaningfully healthier than Coke; the point is that Amazon's own sales assistant, embedded in Amazon's store, was volunteering to steer a shopper away from a product toward a named competitor, with an editorial health opinion attached.
This is the quiet risk of putting a general-purpose model in a sales role. It does not actually understand that its job is to sell; it understands that it should be helpful, and "helpful" as a language model has been trained to perform it can mean disparaging a product, recommending a rival, or offering unsolicited nutritional advice that no retailer signed off on. The guardrails are supposed to keep the model's helpfulness pointed in a commercially useful direction. When they slip, the model reverts to being a chatbot that will say whatever seems reasonable, brand relationships be damned.
The 2026 encore: free inference
The jailbreaks got a second act. By 2026, the fact that Rufus is a general-purpose model with removable guardrails had turned it into a target for a different kind of abuse: people using it as free AI. If you can break Rufus out of shopping mode, you have an unmetered chatbot running on Amazon's compute, useful for anyone who has hit a rate limit on a paid service and wants free inference courtesy of a retailer's customer-support budget. That reframing, covered in outlets like Tom's Hardware, is less a security catastrophe than a demonstration of the same underlying fact from a new angle: the thing behind the shopping assistant is a capable model that its owner does not fully control.
Why this belongs on the pile
No customer data breach was confirmed, and Amazon has continued to iterate on Rufus. So what is the harm? The harm is the repeated, documented demonstration that a major company shipped a customer-facing AI assistant whose guardrails could be bypassed with encoding tricks, whose internal instructions could be read back out of it, and whose brand discipline evaporated under light pressure. That is the same failure class as the DPD chatbot that swore at a customer and the Gap assistant that could be steered into discussing topics a clothing retailer would rather avoid: a production assistant that behaves as intended right up until someone asks it nicely, in the right encoding, to stop.
The recurring lesson is that a shopping assistant is a large language model with a costume, and the costume is thinner than the deployment implies. Guardrails built on filtering the words of a request do not survive contact with an adversary who can spell those words in numbers. And a model that will recommend Pepsi in Coca-Cola's own aisle is a reminder that "helpful" and "on-message" are not the same objective, no matter what the marketing said when the bot went live.
Discussion